neconyd | 647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917

Analysis

max time kernel
116s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
Size

96KB
MD5

cb89fabf46dead53d02318d1f5ff7060
SHA1

f54c253780c05f55b093391bf5ae8f7c977ecaa8
SHA256

647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917
SHA512

c8bab8add53a24ccdae937c1282dd8f1e4a7bdef5477f1b01adcd2e72add5ef5b03f04675e53a0a0ecbfb371a521ae012bf94bd9eb2152c41049b4adec507bc6
SSDEEP

1536:fnAHcBbLmdvduLd8IDiaP/8A68YaiIv2RwEYqlwi+BzdAeV9b5ADbyxxB:fGs8cd8eXlYairZYqMddH13B

Score

10^/10

neconyd discovery trojan

Malware Config

Extracted

Family

neconyd

http://ow5dirasuek.com/

http://mkkuei4kdsz.com/

http://lousta.net/

Signatures

Neconyd
Neconyd is a trojan written in C++.
trojan neconyd
Neconyd family
neconyd

Executes dropped EXE 6 IoCs

pid	Process
1716	omsecor.exe
2792	omsecor.exe
1292	omsecor.exe
2928	omsecor.exe
2372	omsecor.exe
1244	omsecor.exe

Loads dropped DLL 7 IoCs

pid	Process
2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
1716	omsecor.exe
2792	omsecor.exe
2792	omsecor.exe
2928	omsecor.exe
2928	omsecor.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\omsecor.exe	omsecor.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2060 set thread context of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 1716 set thread context of 2792	1716	omsecor.exe	31
PID 1292 set thread context of 2928	1292	omsecor.exe	34
PID 2372 set thread context of 1244	2372	omsecor.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omsecor.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2060 wrote to memory of 2344	2060	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	29
PID 2344 wrote to memory of 1716	2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	30
PID 2344 wrote to memory of 1716	2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	30
PID 2344 wrote to memory of 1716	2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	30
PID 2344 wrote to memory of 1716	2344	647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe	30
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 1716 wrote to memory of 2792	1716	omsecor.exe	31
PID 2792 wrote to memory of 1292	2792	omsecor.exe	33
PID 2792 wrote to memory of 1292	2792	omsecor.exe	33
PID 2792 wrote to memory of 1292	2792	omsecor.exe	33
PID 2792 wrote to memory of 1292	2792	omsecor.exe	33
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 1292 wrote to memory of 2928	1292	omsecor.exe	34
PID 2928 wrote to memory of 2372	2928	omsecor.exe	35
PID 2928 wrote to memory of 2372	2928	omsecor.exe	35
PID 2928 wrote to memory of 2372	2928	omsecor.exe	35
PID 2928 wrote to memory of 2372	2928	omsecor.exe	35
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36
PID 2372 wrote to memory of 1244	2372	omsecor.exe	36

C:\Users\Admin\AppData\Local\Temp\647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
"C:\Users\Admin\AppData\Local\Temp\647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
  C:\Users\Admin\AppData\Local\Temp\647c27729b0c7c233098badffddc9e0fcf375d4ae9130800107613d1f3672917.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Roaming\omsecor.exe
    C:\Users\Admin\AppData\Roaming\omsecor.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\omsecor.exe
      C:\Users\Admin\AppData\Roaming\omsecor.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\System32\omsecor.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\SysWOW64\omsecor.exe
        
        C:\Windows\SysWOW64\omsecor.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        
        C:\Users\Admin\AppData\Roaming\omsecor.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
d458833caeda2ec19cb80eb10e378062

SHA1
f3bf4948fc59b415d501a1869a2ba8c8085e2a40

SHA256
98b322fd7d9176551e8fc07155e6d41a7f02c0bbf860a833b567553dad339640

SHA512
e432c253a690f4a1cc8ddec9abbbcad38b7af0fcff2e61d9a648d4c2e3217a60c57299b14edda358c10cdb4f337d5f8ebb80897300e3be22c40364e4d77a4147

Download Submit
\Users\Admin\AppData\Roaming\omsecor.exe

Filesize
96KB

MD5
8d8e58fed6b389848119a74151a8cce0

SHA1
d3d657d546417690834819df689ce330b1783313

SHA256
7b1b1f9621d4fbd7c0769127869759fb695de6da0f263fdcfb1c8179b87b073d

SHA512
05c953a5ca413d68fae52981b8ef0566ce780c447f2e107629cb9f88213e853733cae16496b49a5fcd74c8d24626facd94353e2990cbc55f0b869427b1bf71a0

Download Submit
\Windows\SysWOW64\omsecor.exe

Filesize
96KB

MD5
a8a2ec2929a30927f3d478a232360a55

SHA1
b159d32c1016953b08581768b868434db5913c3a

SHA256
bc4fc40ce49bf788ae678bf9b95777d33490de36253a3a3468efd6e6ea8a48c7

SHA512
03b1e493032739d8a73bf03942181322afdcfad85c85eb277eb23dc923675c8daac190283e2a35d438f04a245cff87572c1058b3d8ae94cd95f891de88493e8f

Download Submit
memory/1244-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1292-67-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1292-55-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1716-21-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1716-31-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-8-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2060-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2344-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-87-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-80-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2792-40-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-52-0x0000000000530000-0x0000000000553000-memory.dmp

Filesize
140KB

Download
memory/2792-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-47-0x0000000000530000-0x0000000000553000-memory.dmp

Filesize
140KB

Download
memory/2792-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2792-34-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2928-72-0x0000000000230000-0x0000000000253000-memory.dmp

Filesize
140KB

Download